Five hours after the Drupal team published a security update for the Drupal CMS, hackers have found a way to weaponize the patched vulnerability, and are actively exploiting it in the wild.
This vulnerability should not be confused with Drupalgeddon 2 (CVE-2018-7600), another Drupal CMS security issue patched last month, which is also heavily exploited. This issue —tracked as CVE-2018-7602— was patched today.
Unlike the Drupalgeddon 2 case, where hackers started exploiting it after two weeks, this time around, they started exploiting CVE-2018-7602 right away. The Drupal Security Team reported detecting attacks five hours after releasing a patch.
The security team is aware that SA-CORE-2018-004, is being exploited in the wild. If you have not updated, please do so now. https://t.co/TVGob2IXvL— Drupal Security (@drupalsecurity) April 25, 2018
The Drupal team was aware that this flaw could have serious repercussions, and issued a PSA on Monday about today's upcoming patch.
The PSA was meant to warn website owners in advance because the Drupal team considered there was "some risk that exploits might be developed within hours or days."
What the Drupal team feared happened in the end, and hackers started exploiting CVE-2018-7602 within hours, even before many website owners had a chance to patch their sites.
The flaw they are exploiting is a remote code execution (RCE) bug that affects both Drupal 7.x and 8.x versions. The vulnerability is rated 20 out of 25 on Drupal's own severity scale, meaning it can give attackers complete control over an attacked site.
Drupal developers said they discovered CVE-2018-7602 while investigating the previous Drupalgeddon 2 vulnerability, and that they are connected.
Both flaws are related to how Drupal handles the "#" character used in its URLs, and the lack of input sanitization applied to parameters supplied via the "#" character.
SA-CORE-2018-004 #drupalgeddon3 #cve-2018-7602 # drupal Exists due to "destination" GET query parameter accepting a URL (with its GET parameters) which is not sanitized with stripDangerousValues() function, this function is the responsible to filter "#" character.— Dreadlocked (@_dreadlocked) April 25, 2018
The Drupal team released Drupal v7.59, v8.4.8, and v8.5.3 to patch CVE-2018-7602.
Seven hours after the patch, and two hours after the first in-the-wild attacks were reported, a user named Blaklis also published weaponized proof-of-concept code for CVE-2018-7602 on Pastebin.
The publication of this code will make it even easier for attackers to compromise Drupal sites. We can expect attacks similar to the Drupalgeddon 2 exploitation attempts —backdoors, coinminers, web-based ransomware, tech support scam redirections, and a bunch of ugly defacements.
Some users are candidly referring to this bug as Drupalgeddon 3.